The U.S. Department of Justice (DOJ) announced Thursday that a federal grand jury charged a Chinese national for participating in a sophisticated hacking group based in China that was targeting large businesses in the U.S. The hacking group was allegedly responsible for the 2015 Anthem data breach.
Chinese Hacking Group Targeted US Businesses
The four-count indictment against Fujie Wang said Wang and other members conducted campaigns of intrusions into U.S.-based computer systems, including those of Anthem, a health insurance company, and three other businesses.
Assistant Attorney General Benczkowski said that the hacking group’s members committed one of the largest data breaches in U.S. history, violating the privacy rights of 78.8 million Americans by stealing their personally identifiable information (PII).
Assistant Director Matt Gorham praised Anthem for its prompt cooperation with the FBI, which played an important role in identifying the cybercriminals who were targeting the company.
Anthem Data Breach
Anthem made the data breach public in February 2015. According to the investigators, the first intrusion happened as early as May 13, 2014. The Chinese hacking group continued to target Anthem until January 2015. Meanwhile, it also started hacking three other companies in the technology, basic materials and communications services sectors.
It’s not clear why the DOJ did not name these three other firms, but presumably these companies have yet to make their own data breaches public, which means their customers may still be unaware that their data was exposed.
In Anthem’s case, the hackers stole sensitive data from 78.8 million Americans, including names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data.
Sophisticated Techniques Used
The hacking group members used sophisticated spearphishing techniques to target employees of the victim companies with relevant emails and hyperlinks. When employees clicked on those links, malware would download and install on their machines. The malware included a backdoor tool that gave the attackers remote access to the machines and to the company’s internal network.
According to the indictment, the defendants sometimes waited months to take further action after the machines were infected. First, they would do reconnaissance to see if there was anything worth stealing.
After they stole the data of interest, they encrypted it and sent it through multiple computers to destinations in China. Once the data was transferred, the defendants deleted the encrypted archives on the victims’ computers to avoid detection.
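The sequence described in the indictment (stage data in an encrypted archive, transfer it out of the network, then delete the archive) leaves a pattern that endpoint telemetry can catch even when the payload itself is unreadable. The following is an added example, not code from the article or from any investigator or vendor named in it: a small detector that correlates archive creation, a large outbound connection to a non-RFC1918 address, and deletion of the same archive on one host within a time window. The event schema, field names, sample events and thresholds are all constructed assumptions rather than any real EDR product's format.

```python
"""Flag the stage-transfer-delete pattern on a single host.

Constructed example: endpoint telemetry is modelled as a list of dicts
(host, ISO timestamp, event type, details). The event names and fields
are assumptions, not a real EDR schema. A host is flagged when an
archive is created, a large outbound connection to an address outside
the private ranges follows, and the same archive is then deleted, all
within `window`.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ARCHIVE_EXT = (".rar", ".zip", ".7z")

# RFC 1918 ranges treated as internal; anything else counts as external.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample telemetry (not real logs); 203.0.113.45 is a
# documentation address standing in for an attacker-controlled host.
SAMPLE_EVENTS = [
    {"host": "ws-17", "ts": "2014-11-03T22:14:05", "type": "file_create",
     "path": "C:\\Users\\Public\\t1.rar"},
    {"host": "ws-17", "ts": "2014-11-03T22:41:12", "type": "net_connect",
     "dst": "203.0.113.45", "bytes_out": 734003200},
    {"host": "ws-17", "ts": "2014-11-03T23:02:40", "type": "file_delete",
     "path": "C:\\Users\\Public\\t1.rar"},
    # Benign: archive copied to an internal file server, then cleaned up.
    {"host": "ws-22", "ts": "2014-11-04T09:00:00", "type": "file_create",
     "path": "C:\\Users\\bob\\report.zip"},
    {"host": "ws-22", "ts": "2014-11-04T09:01:00", "type": "net_connect",
     "dst": "10.0.4.8", "bytes_out": 1048576},
    {"host": "ws-22", "ts": "2014-11-04T09:05:00", "type": "file_delete",
     "path": "C:\\Users\\bob\\report.zip"},
    # Benign: archive deleted days later with no transfer in between.
    {"host": "ws-31", "ts": "2014-11-05T14:00:00", "type": "file_create",
     "path": "C:\\temp\\backup.7z"},
    {"host": "ws-31", "ts": "2014-11-09T14:00:00", "type": "file_delete",
     "path": "C:\\temp\\backup.7z"},
]


def _is_external(ip: str) -> bool:
    """True when the destination lies outside the RFC 1918 ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_staging_sequences(events, window=timedelta(hours=6),
                           min_bytes=50 * 1024 * 1024):
    """Return (host, archive_path, dst_ip) for each suspicious sequence.

    Events are grouped per host and scanned in time order. For every
    archive creation we look ahead within `window` for a large external
    transfer followed by deletion of that same archive.
    """
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort chronologically
        by_host.setdefault(e["host"], []).append(e)

    hits = []
    for host, evs in by_host.items():
        for i, create in enumerate(evs):
            if create["type"] != "file_create":
                continue
            if not create["path"].lower().endswith(ARCHIVE_EXT):
                continue
            t0 = datetime.fromisoformat(create["ts"])
            transfer = None
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break  # outside the correlation window; stop looking
                if (later["type"] == "net_connect"
                        and _is_external(later["dst"])
                        and later.get("bytes_out", 0) >= min_bytes):
                    transfer = later
                elif (later["type"] == "file_delete"
                        and later["path"] == create["path"]
                        and transfer is not None):
                    hits.append((host, create["path"], transfer["dst"]))
                    break
    return hits


if __name__ == "__main__":
    for host, path, dst in find_staging_sequences(SAMPLE_EVENTS):
        print(f"{host}: archive {path} staged, sent to {dst}, then deleted")
```

The two benign hosts in the sample show why all three steps are required: an archive moved to an internal server (ws-22) and an archive deleted days later with no transfer (ws-31) are both ignored, while ws-17 is flagged. In a real deployment the window and byte threshold would be tuned to the environment, and the external-address test would be replaced by the organisation's own allowlist of known-good destinations.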
The DOJ alleged that defendant Wang owned two domain names connected to the criminal activity. One of the domains was associated with the backdoor installed in the computer systems of one of these unnamed victim businesses. The other domain was associated with an email Wang used to send the spearphishing messages to the employees of another victim business.
The FBI’s Indianapolis Field Office investigated the case with the help of several other cybercrime divisions within the DOJ.